Named Pipe to have its own dedicated class #274

Noafr · 2022-10-02T18:09:52Z

Noafr
Oct 2, 2022

It was previously suggested that Named Pipe will move from Kernel Activity to the File Activity category
file.type_id 6 represents 'Named Pipe', so in theory, one could use it for named pipes-related events

With that said, named Pipes events to have multiple unique fields (ENUMs) that aren`t relevant to the existing file events but that are needed for threat hunting/analysis. For example:

NamedPipe Access Mode (Access Duplex, Access Inbound, Access Outbound)
NamedPipe Type Mode (Byte, Message)
NamedPipe Read Mode (Byte, Message)
NamedPipe Wait Mode (Blocking Wait, Non-Blocking Wait)
NamedPipe Remote Clients (Accept, Reject)
NamedPipe Connection Type (Local,Remote)
For more info see https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea

With the above in mind, it might be worth having a dedicated class for Named Pipes.

Should Named Pipe events have their own class?

Yes

0%

No

0%

0 votes

Noafr · 2022-10-14T14:28:30Z

Noafr
Oct 14, 2022
Author

@rroupski have we determined the next steps here?

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Named Pipe to have its own dedicated class #274

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Named Pipe to have its own dedicated class #274

Noafr Oct 2, 2022

Replies: 1 comment

Noafr Oct 14, 2022 Author

Noafr
Oct 2, 2022

Noafr
Oct 14, 2022
Author